libpod: do not move podman with --cgroups=disabled

The expectation with --cgroups=disabled is that the current cgroup is used by the container. Currently the --cgroups=disabled is passed directly to the OCI runtime, but it doesn't stop Podman from creating a new cgroup when it doesn't own the current one. Closes: https://github.com/containers/podman/issues/20910 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-05-30 10:44:18 +02:00 · 2024-05-30 10:44:18 +02:00 · 900e29549a
parent 939cb83a04
commit 900e29549a
7 changed files with 50 additions and 23 deletions
--- a/cmd/podman/common/completion.go
+++ b/cmd/podman/common/completion.go
@ -58,8 +58,13 @@ func setupContainerEngine(cmd *cobra.Command) (entities.ContainerEngine, error)
 	}
 	if !registry.IsRemote() {
 		_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
+		cgroupMode := ""

-		err := containerEngine.SetupRootless(registry.Context(), noMoveProcess)
+		if flag := cmd.LocalFlags().Lookup("cgroups"); flag != nil {
+			cgroupMode = flag.Value.String()
+		}
+
+		err := containerEngine.SetupRootless(registry.Context(), noMoveProcess, cgroupMode)
 		if err != nil {
 			return nil, err
 		}
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@ -362,8 +362,12 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error {
 	// 3) command doesn't require Parent Namespace
 	_, found := cmd.Annotations[registry.ParentNSRequired]
 	if !registry.IsRemote() && !found {
+		cgroupMode := ""
 		_, noMoveProcess := cmd.Annotations[registry.NoMoveProcess]
-		err := registry.ContainerEngine().SetupRootless(registry.Context(), noMoveProcess)
+		if flag := cmd.LocalFlags().Lookup("cgroups"); flag != nil {
+			cgroupMode = flag.Value.String()
+		}
+		err := registry.ContainerEngine().SetupRootless(registry.Context(), noMoveProcess, cgroupMode)
 		if err != nil {
 			return err
 		}
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@ -95,7 +95,7 @@ type ContainerEngine interface { //nolint:interfacebloat
 	PodUnpause(ctx context.Context, namesOrIds []string, options PodunpauseOptions) ([]*PodUnpauseReport, error)
 	Renumber(ctx context.Context) error
 	Reset(ctx context.Context) error
-	SetupRootless(ctx context.Context, noMoveProcess bool) error
+	SetupRootless(ctx context.Context, noMoveProcess bool, cgroupMode string) error
 	SecretCreate(ctx context.Context, name string, reader io.Reader, options SecretCreateOptions) (*SecretCreateReport, error)
 	SecretInspect(ctx context.Context, nameOrIDs []string, options SecretInspectOptions) ([]*SecretInfoReport, []error, error)
 	SecretList(ctx context.Context, opts SecretListRequest) ([]*SecretInfoReport, error)
--- a/pkg/domain/infra/abi/system_freebsd.go
+++ b/pkg/domain/infra/abi/system_freebsd.go
@ -8,6 +8,6 @@ import (
 const defaultRunPath = "/var/run"

 // SetupRootless in a NOP for freebsd as it only configures the rootless userns on linux.
-func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool, cgroupMode string) error {
 	return nil
 }
--- a/pkg/domain/infra/abi/system_linux.go
+++ b/pkg/domain/infra/abi/system_linux.go
@ -17,7 +17,7 @@ import (
 // Default path for system runtime state
 const defaultRunPath = "/run"

-func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool, cgroupMode string) error {
 	runsUnderSystemd := systemd.RunsOnSystemd()
 	if !runsUnderSystemd {
 		isPid1 := os.Getpid() == 1
@ -30,6 +30,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 		}
 	}

+	configureCgroup := cgroupMode != "disabled"
+	if configureCgroup {
 		// do it only after podman has already re-execed and running with uid==0.
 		hasCapSysAdmin, err := unshare.HasCapSysAdmin()
 		if err != nil {
@ -55,6 +57,7 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 			}
 			return nil
 		}
+	}

 	pausePidPath, err := util.GetRootlessPauseProcessPidPath()
 	if err != nil {
--- a/pkg/domain/infra/tunnel/system.go
+++ b/pkg/domain/infra/tunnel/system.go
@ -13,7 +13,7 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
 	return system.Info(ic.ClientCtx, nil)
 }

-func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool, cgroupMode string) error {
 	panic(errors.New("rootless engine mode is not supported when tunneling"))
 }

--- a/test/system/420-cgroups.bats
+++ b/test/system/420-cgroups.bats
@ -37,4 +37,19 @@ load helpers
    run_podman rm myc
 }

+@test "podman run --cgroups=disabled keeps the current cgroup" {
+    skip_if_remote "podman-remote does not support --cgroups=disabled"
+    skip_if_rootless_cgroupsv1
+    runtime=$(podman_runtime)
+    if [[ $runtime != "crun" ]]; then
+        skip "runtime is $runtime; --cgroups=disabled requires crun"
+    fi
+
+    current_cgroup=$(cat /proc/self/cgroup)
+
+    # --cgroupns=host is required to have full visibility of the cgroup path inside the container
+    run_podman run --cgroups=disabled --cgroupns=host --rm $IMAGE cat /proc/self/cgroup
+    is "$output" $current_cgroup "--cgroups=disabled must not change the current cgroup"
+}
+
 # vim: filetype=sh